sKyWIper (a.k.a. Flame a.k.a. Flamer): A complex ... - CrySyS Lab
4.5. Logging file list

The malware saves ~rf files in /windows/temp. This operation appears to be automatic, although it may also be remotely controllable. These files are encrypted with the E1 encryption algorithm (see above). After decryption, each file turns out to be a SQLite3 database storing information on drivers, directories, and file names.

Figure 37 – SQLite database format for ~rf files [file db]
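A triage check for a decrypted ~rf file, added here as an example and not part of the CrySyS report: it verifies the SQLite3 file header and lists the tables with their row counts, so an analyst can tell a successfully decrypted log from a still-encrypted or unrelated file. The sample database it builds, including its table layout, is constructed for illustration only and is not the real ~rf schema.

```python
import os
import sqlite3
import tempfile
from typing import Optional

# Every SQLite3 database file starts with this 16-byte header string.
SQLITE_MAGIC = b"SQLite format 3\x00"


def build_sample_rf_db() -> bytes:
    """Construct a stand-in for a *decrypted* ~rf file (hypothetical schema).

    The report does not publish the real table layout; this one merely mirrors
    the kinds of data it says are stored: drivers, directories and file names.
    """
    tmp = tempfile.NamedTemporaryFile(suffix=".db", delete=False)
    path = tmp.name
    tmp.close()
    conn = sqlite3.connect(path)
    conn.executescript("""
        CREATE TABLE drivers (name TEXT, path TEXT);
        CREATE TABLE entries (directory TEXT, filename TEXT);
        INSERT INTO drivers VALUES ('ntfs.sys', '\\Windows\\System32\\drivers');
        INSERT INTO drivers VALUES ('usbstor.sys', '\\Windows\\System32\\drivers');
        INSERT INTO entries VALUES ('\\Users\\alice\\Documents', 'report.docx');
        INSERT INTO entries VALUES ('\\Users\\alice\\Desktop', 'notes.txt');
        INSERT INTO entries VALUES ('E:\\', 'photos.zip');
    """)
    conn.commit()
    conn.close()
    with open(path, "rb") as f:
        data = f.read()
    os.remove(path)
    return data


def triage_rf_file(data: bytes) -> Optional[dict]:
    """Return {table: row_count} if `data` is a SQLite3 database, else None."""
    if not data.startswith(SQLITE_MAGIC):
        return None  # still encrypted with E1, or not an ~rf log at all
    tmp = tempfile.NamedTemporaryFile(suffix=".db", delete=False)
    tmp.write(data)
    tmp.close()
    conn = sqlite3.connect(tmp.name)
    names = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table'")]
    summary = {n: conn.execute(f'SELECT COUNT(*) FROM "{n}"').fetchone()[0]
               for n in names}
    conn.close()
    os.remove(tmp.name)
    return summary
```

Running `triage_rf_file` on the raw ~rf file (before E1 decryption) returns None, which is the expected result for the on-disk ciphertext.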
Laboratory of Cryptography and System Security (CrySyS)
Budapest University of Technology and Economics
www.crysys.hu 38